New Year’s Day 2020. Many are struggling with the well-known late effects after a night of too much drinking and one or two are perhaps sceptical for the first time about New Year’s resolutions that they so laboriously put together the previous week. But what then happens in the spring of 2020 is something no one has or could have taken into account in their plan of action. A small virus from the far China, named “Covid-19”, was to develop into a pandemic in a very short time and hold the entire globe in a firm grip from the spring of 2020. The restrictions in public and private life that became necessary by the pandemic have greatly affected and inevitably changed people’s lifestyles worldwide. The economic and social as well as socio-economic consequences are difficult to foresee or conclusively to predict even after a year of “covid confinement”.
A collapse in economic power (due to various restrictions and/or a wide variety of lockdowns), restrictions on the freedom to travel, the special protection of risk groups, mental overkill of care personnel and much more are the effects that we all perceived at least informally in 2020. The payment industry certainly paid special attention to the resulting changes in the purchasing and payment behaviour of citizens who are so restricted.
At the same time, however, the payment world has also saved and transferred an old boil from 2019 to 2020 – the “Strong Customer Authentication” or SCA, which, according to the European Banking Authority (EBA), had to be switched on by 1 January 2021. At the beginning of 2020, every payment service provider is likely to have counted the upcoming SCA adjustments in its payment systems among the necessary evils rather than among the good resolutions for 2020.
If we look at the past 12 months, we can state with certainty that the SCA mandate, in coexistence with the pandemic, has greatly changed the payment world and even woken up old acquaintances of the payments as from a “Sleeping Beauty” sleep. Perhaps in this case it was not the fair prince who kissed these candidates awake from their “sleep of the century”, but rather the two frightening figures Covid-19 and SCA, which accelerated the awakening with their ugly grimaces.
As we are well aware, at the beginning of 2020, the region around the 11 million metropolis of Wuhan in China “exported” the virus. This then missionized the globe in the shortest possible time in an unprecedented manner. Here in Germany (as well as in many other European countries), the first peak was reached with the first lockdown on 23 March 2020. From a virological point of view, a worldwide spread in only three months can definitely be considered a success.
Compared to this, the SCA measures that were carried out in the same period were rather small, even though they were partially intensified (e.g. at the issuers). Due to the mandates of the credit card organisations, which of course defined their own milestones for 1 January 2021 in line with the EBA’s master plan, the card-issuing institutions certainly had to carry out a significantly higher implementation effort by April 2020 than was the case on the acceptance side in the same period – hence only a partial effort by the payment service provider ecosystem.
But also on the acceptance side, mandates from the credit card organisations were defined as requirements and applied into their calendar, which then hit them from the middle of the year onwards (EMV 3DS2.1+ mandate as of 01.07.2020 and the EMV 3DS 2.2 mandate for Visa as of 18.10.2020). This ecosystem on the acceptance side – consisting of acquirers, their processors, the payment service providers, the network service providers and the 3DS2 service providers – was therefore forced to technically adapt to these enhancements in due time.
Oh yes, and then there was another not entirely unimportant participant on the acceptance side, namely the merchant or payment acceptor. And this is where we recognised the weakness of the SCA definition. It cannot be said that the merchants in their very own role are a weak point for itself, but rather that the SCA by definition did not take this last link of the payment acceptance world sufficiently into account in the implementation mandate. The reason for this is once again the “chain of command” of payment surveillance, which has not been thought through conclusively and consistently to the end. Of course, the regulator and surveillance authorities (BaFin/EBA) can only regulate the regulated and supervised parties (Payment Institutions). But blindly trusting that these supervised parties will revolutionise the market on their own initiative and pass on the torment demanded of them to the “offenders behind them” was probably a little too short-sighted. The market is governed by the traditional “chicken and egg principle”. And following this principle, it was almost impossible for the payment acceptance providers to convince the merchants of the salutary benefits of the SCA if used.
Regardless of the SCA’s quarrels, the Covid-19 virus continued its success story and at an increasing pace.
On the payment acceptor side, the wheat was separated from the chaff by the middle of the year with regard to the SCA adjustments to be made. Those merchants who sold their goods via a direct sales model had quickly calculated at least a master plan that should enable them to implement the SCA in accordance with the applicable requirements by the end of the year.
Those market segments that sold their goods via indirect sales channels were much worse off. Due to the chronological separation of order reservation and payment capture, different technical service providers were sometimes entrusted with the processing of the individual tasks in the successive sub-processes of payment execution – sometimes even service providers contractually distributed over several points of payment acceptance. This sometimes made a SCA-compliant payment processing impossible.
The travel and car rental industry (T&H for “Travel and Hospitality”) was particularly affected, as reservations were often made far in advance of the use – and thus the collection of payments – for the respective services. The travel packages often booked via online travel agencies (OTA for “Online Travel Agency”) were collected by different service providers (hotel, airline, rental car, etc.) at a much later date. And for this procedure, even before SCA, these OTAs used virtual credit cards as a one-time mens of payment. With this instrument, the OTAs were able to bind the payer directly to themselves without the payment transaction being processed directly between the service provider and the cardholder. However, since it was known from the SCA definition that virtual cards were exempt from the SCA obligation, the use of virtual cards by the OTAs was thus used as means to an end. This renaissance of virtual credit cards was certainly not in the interest of the service providers, as it only alienated the cardholder even more from the service provider – especially since the OTAs did not provide this service without a corresponding contribution to the service provider.
With the SCA requirements, however, the demand for interactive data exchange between the service providers involved also became louder (use of the so-called MIT framework ). This demand in turn required extensive adjustments in the IT systems and communication protocols of the corresponding service providers. As already mentioned, the creation of this framework required a wide variety of adjustments at different service providers, which realistically made implementation at the turn of the year 2020/2021 impossible.
However, the credit card organisations recognised this shortcoming just in time and, due to the multiplexity of this service provider universe, created a possibility to bring about the affected transactions without the use of virtual cards and without the use of MIT frameworks through a corresponding MOTO labelling of the transactions. Of course, this also required adjustments in the marchant acceptance ecosystem, but it was much easier to realise because this “re-labelling” could be implemented centrally on the machines of the payment acceptance providers.
The MIT framework described above is certainly the last resort in the implementation of SCA requirements – especially if the business transaction is realised via indirect sales organisations such as OTAs. However, by definition, there are some conditions attached to the use of such a framework that need to be observed across the entire service chain. Equally, it should be noted that the acceptance channels used by these different service providers (ECOM, MOTO, POS, etc.) can sometimes be applied in one and the same MIT process.
And it is precisely at this point that an old companion that does not seem new to the payment world returns to the discussion podium: the creation of an “omnichannel solution”. The idea of using omnichannel products to collect payments that were authorised e.g. via an ECOM portal but which are later collected from the service provider via a POS device, and ideally also in compliance with the SCA – i.e. with the help of an MIT framework – is thus the logical consequence of the search for a cross-service provider and platform solution of a holistic MIT framework.
Predestined for the realisation of such a solution would be network service providers (who usually also offer ECOM and MOTO solutions) or PSPs, as both parties are already processing parts of this omnichannel solution on their platforms. It remains to be seen who will be the first to take up the baton in 2021.
In 2019 and 2020, we have already seen two renowned PSPs in Germany (Computop and Adyen) expand their ECOM/MOTO platforms to include POS business. Certainly, this move should be seen primarily in the context of the idea of expanding the service portfolio and the associated market segments. However, it also offers the perfect jumping-off point for the realisation of an omnichannel solution. Network service providers should therefore now be warned to expand their platforms in the direction of omnichannel. This is the only way their platforms can handle all business transactions in a SCA-compliant manner in the medium to long term. In addition, there is the increasing number of ECOM transactions, which, not least due to the Covid-19 pandemic, has triggered changes in the purchasing behaviour of citizens and is prompting network service providers to rethink. It remains to be seen who will be the first to take up the baton in 2021.
The bottom line is: Covid-19 and SCA in cooperation have shifted payments in the direction of digital payment transactions (this also includes the reduction of cash payments) and also demand cross-platform solutions in the sense of the omnichannel approach. Even though the SCA appears to be in full force , it will continue to have a significant impact on the development of payment transactions in 2021.
 MIT stands for “Merchant Initiated Transaction”. This transaction type is exempt from the SCA and can be used when a merchant wants to collect payments without the cardholder being present. The use of an MIT framework in connection with “indirect sales” transactions is a preferred approach of the credit card organisations for the T&H industry but requires adjustments in the systems of all affected service providers in this processing chain and also requires SCA-compliant communication between these affected service providers with additional SCA values.
 In full” here includes the EEC-wide “ramp up” plans of the national surveillance authorities, which partly provide for the 100% implementation of the SCA in monthly steps until the end of March 2021.